NetScreen
[nn] Site-to-site VPN and WMI query failures

To: nn@qorbit.net
Subject: [nn] Site-to-site VPN and WMI query failures
From: Netfortius <netfortius@gmail.com>
Date: Fri, 16 Mar 2007 08:15:32 -0500
I have a configuration with two sites (in fact many pairs like this, but the 
issue is the same for all pairs) with 5GTs, all running 5.3.0r4.0, connected 
via site-to-site VPN. There are no restrictions on traffic between the LANs 
behind the internal interface of each firewall, and no content rules (took 
them all out). On each LAN there is a Win2K3 DC, and all of those DCs 
communicate and sync just fine (i.e. normal Active Directory traffic works 
perfectly).

When trying to use the WMI mmc - i.e. query for WMI properties from one DC to 
another (which consists of some sort of RPC mapper process first, followed 
by DCE end point communication attempts, from a dynamically assigned source TCP 
port (the querier) to the destination (the queried system) - always on 
TCP 135) this always fails.

What I can see from a trace taken on the two DCs is that a specific 
segment sent by the querying machine never makes it through the tunnel to the 
other DC (it gets dropped by the firewall). Does anybody see anything odd in 
it (the failed/dropped packet is attached here - hope this mailing list 
accepts attachments) that would lead to the failure described above?

NOTE!! "TCP checksum incorrect", as reported in the capture, is a tshark 
interpretation. The same "error" showing up in other traces does not keep other 
segments from crossing the tunnel, and the same "error" does not keep other DCs on a 
LAN from working just fine for the WMI queries. It is just the 
DCs on opposite sides of the site-to-site VPN that fail.

TIA,
Stefan

Attachment: failed-packet.txt
Description: Text document
